fix(lxc): lxc tty

[caarlos0]

📖 Description

Make the LXC backend usable end-to-end for an interactive sandboxed shell driven over a host pty (the model the GitHub Copilot CLI uses on Linux for its bash tool). Four stacked fixes — each was necessary, none was sufficient on its own.

1. attach_run: inherit parent stdio (a3f2a66)

Wires lxc-attach's stdin/stdout/stderr to the parent process so the inner shell shares whatever drives lxc-exec. Without this, the child gets a closed stdin and exits immediately on EOF — interactive shells can't survive their first read. Mirrors the AppContainer runner's pty sharing on Windows.

2. destroy(): skip the redundant lxc-stop (562cd5a)

lxc-destroy -f already force-stops a running container. We were also calling lxc-stop first, which waits up to 60 s for graceful shutdown. On distros that run systemd as PID 1 in unprivileged userns (anything ubuntu-class), init never cleanly responds to SIGPWR — the wait always times out before the force-stop step. Cleanup drops from ~60 s to ~0.2 s; alpine is unaffected.

3. attach_run: bridge through an inner pty with a detached ctty (49fbbb9)

The inherit-stdio fix from #1 got bash booting and printing its prompt, but the shell then ignored everything the host wrote. Two compounding root causes:

• Pre-buffered input was discarded. Bash's readline init calls tcsetattr on its stdin, which can flush bytes the parent buffered into the pty before bash got there. Anything the CLI pre-sent (e.g. its shell-init wrapper) was lost.
• lxc-attach bypassed our slave fds. When it inherits a controlling terminal from the parent, it forwards the inner container pty's I/O straight to /dev/tty instead of using the stdio slots. Bash's prompt reached our screen but the master fd we kept stayed empty, so there was no way to forward host stdin into bash either.

Fix:

• Allocate an inner pty pair via nix::pty::openpty. Give the slave to lxc-attach (and thus bash) for stdin/stdout/stderr; keep the master in the parent.
• In pre_exec: setsid() to drop the inherited controlling terminal, then ioctl(TIOCSCTTY) on fd 0 so lxc-attach adopts our slave as its new ctty. This is what makes the slave fds actually carry the data.
• Output thread copies master → host stdout, signaling "ready" on the first byte from inside the container (bash is past readline init at that point and safe to feed).
• Input thread waits for "ready" (capped at 5 s; the higher-level command timeout takes over from there) before forwarding host stdin → master.

Adds the term feature to the workspace nix dependency so pty::openpty is available.

4. lxc-exec: destroy the active container on fatal signals (f146e9f)

LxcScriptRunner::run_internal only calls container.destroy() after attach_run returns. When the runner is killed by a fatal signal — its parent exited, or it received SIGHUP/SIGTERM/SIGINT — the in-flight attach_run is interrupted and the destroy block is never reached, leaving the container running indefinitely (lxc-ls lists it long after the CLI session that spawned it is gone).

Install a signal_cleanup watchdog in lxc-exec's main:

• Block SIGHUP/SIGTERM/SIGINT in the calling thread before any other thread is spawned, so all later threads inherit the blocked mask.
• A dedicated thread sigwaits for any of those signals, destroys the currently active container, and exits with 128 + signo so the parent sees a normal signal-style exit.

LxcScriptRunner::run_internal registers the active container name with the watchdog right after resolving it, so the cleanup window covers create/start/attach as well as the normal post-attach destroy path.

🔗 References

Surfaced while wiring up Linux sandbox support in the GitHub Copilot CLI runtime. Tested against the createConfigFromPolicy migration in copilot-agent-runtime#7767.

🔍 Validation

• cargo test -p lxc_common --lib — 25/25 unit tests green on host (macOS arm64) and target (linux/aarch64-unknown-linux-gnu).
• cargo check -p lxc_common --target aarch64-unknown-linux-gnu clean.
• End-to-end manual test on Ubuntu Resolute (arm64, OrbStack VM) running the Copilot CLI's sandboxed bash tool: container creates, bash boots, the CLI's init wrapper executes, commands run, output streams back, container destroys in <1 s. Repeated successfully across 10+ invocations with no ABORTING start failures or 60 s teardown waits.
• Signal cleanup verified by SIGTERM/SIGINT'ing lxc-exec mid-run: container is destroyed before the process exits, lxc-ls shows no orphaned containers across repeated runs.

✅ Checklist

• Signed the Contributor License Agreement
• Linked to an issue
• Updated documentation (if applicable)
• Updated Copilot instructions (if build, architecture, or conventions changed)

📋 Issue Type

• Bug fix
• Feature
• Task

refs https://github.com/github/copilot-agent-runtime/issues/164

Microsoft Reviewers: Open in CodeFlow

[caarlos0]

@bbonaby thanks for the review, updated!

[caarlos0]

failing tests are on main as well - ignoring.

[bbonaby]

@Caarlos, I merged a PR that should fix those errors you were getting. If you merge with main and fix the conflict we should see all green after

[caarlos0]

@bbonaby done! thank you

[Copilot]

Pull request overview

This PR updates the Linux LXC backend to better support interactive PTY-driven shell sessions and to clean up active containers when lxc-exec is terminated by common fatal signals.

Changes:

• Adds signal-based cleanup tracking for the active LXC container.
• Reworks lxc-attach execution to bridge through an inner PTY with controlling-terminal setup.
• Simplifies LXC destruction via lxc-destroy -f and enables the nix term feature.

Show a summary per file

File	Description
src/lxc/src/main.rs	Installs LXC signal cleanup early in lxc-exec startup.
src/lxc_common/src/signal_cleanup.rs	Adds active-container tracking and a signal watchdog thread.
src/lxc_common/src/lxc_runner.rs	Registers the active container name for signal cleanup.
src/lxc_common/src/lxc_bindings.rs	Adds PTY-backed attach_run, adjusts LXC path cfg handling, and simplifies destroy.
src/lxc_common/src/lib.rs	Exports the new signal cleanup module.
src/Cargo.toml	Enables the nix term feature for PTY support.

Copilot's findings

• Files reviewed: 6/6 changed files
• Comments generated: 5

[caarlos0]

Addressed the latest review pass:

• Signals stay blocked in the inner shell (lxc_bindings.rs:276) → 13d644d. pre_exec now restores the default mask before exec so Ctrl-C / termination work inside the attached shell.
• set_active runs even when destroyOnExit=false (lxc_runner.rs:103) → d752012. Registration is gated on self.destroy_on_exit so a SIGTERM no longer deletes a container the caller asked to keep.
• Failed watchdog spawn leaves signals blocked (signal_cleanup.rs:69) → 1a9d6a4. install() calls thread_unblock() on spawn failure, defers INSTALLED until the watchdog is actually running, and lxc-exec's main now exits 1 on install failure instead of warning and continuing.
• iptables chain/FORWARD hook leaks on fatal signal (signal_cleanup.rs:91) → 7783829. Watchdog now tracks the host-side veth alongside the container name and tears down iptables before destroying the container; new NetworkIptablesManager::force_cleanup does the recovery without owning the original manager.
• Comment overstated timeout protection (lxc_bindings.rs:333) → folded into 13d644d. Comment now says the 5 s gate only delays the stdin forwarder; real timeout enforcement is still tracked by the existing TODO in lxc_runner.

cargo fmt, cargo clippy --target aarch64-unknown-linux-gnu -- -D warnings, and cargo test -p lxc_common (25 passed) all green.

[bbonaby]

Thanks!

[bbonaby]

We have a few more PRs we probably want to get in before we spin up another release. #284, #288, and #308. potentially #306 and #307 as well. Will keep you posted.

[caarlos0]

cool, FWIW seems like PTY is not working on macos seatbelt as well, working on a fix 🙏🏻

[bbonaby]

Thanks for the catch! I created this issue: https://github.com/microsoft/mxc/issues/311 feel free to update it however you wish with more details if you want. CC: @richiemsft, not sure if #288 will fix it.